Powershell Automation Basics - Part 1

Pentest Notes: PowerShell Automation - Basics

These notes cover PowerShell automation for penetration testing, focusing on practical applications and techniques.

What is PowerShell?

A powerful scripting language and command-line shell built on the .NET framework, heavily integrated with Windows. Ideal for system administration and automation, making it a valuable tool for pentesters.

Why PowerShell for Pentesting?

  • Native to Windows: Pre-installed on most Windows systems.
  • Object-oriented: Allows for complex data manipulation and interaction with APIs.
  • Access to .NET Framework: Enables interaction with a vast library of classes and functions.
  • Remoting capabilities: Execute commands on remote systems.
  • Bypass security restrictions: Can be used to circumvent some security measures if not properly configured.

Basic Syntax

  • Cmdlets: Commands in PowerShell (e.g., Get-Process, Get-Service, Get-ChildItem).
  • Pipes (|): Used to chain cmdlets, passing the output of one cmdlet as input to the next.
  • Objects: PowerShell works with objects, not just text.
  • Variables: Use $ to define variables (e.g., $process = Get-Process).
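The following is an added example (not from the original notes) that ties the four syntax points together: it chains cmdlets with pipes, filters and sorts on typed object properties rather than text, and stores the result in a variable. The 50MB threshold and the output path are arbitrary choices for the demonstration.

```powershell
# Added example: the pipeline carries .NET objects, not text. Each cmdlet in the
# chain receives full objects, so filtering, sorting and projection work on typed
# properties instead of parsed columns.

# Take the five processes using the most working-set memory.
$topProcesses = Get-Process |
    Where-Object { $_.WorkingSet64 -gt 50MB } |   # filter on a typed property (bytes)
    Sort-Object  WorkingSet64 -Descending |       # numeric sort, not lexical
    Select-Object -First 5 Name, Id,
        @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } }

# $topProcesses is an array of objects; Get-Member shows the properties we projected.
$topProcesses | Get-Member -MemberType NoteProperty | Select-Object Name, Definition

# The same objects can be rendered for a human or serialised for other tooling.
$topProcesses | Format-Table -AutoSize
$topProcesses | ConvertTo-Json -Depth 2 | Set-Content -Path "$env:TEMP\top-processes.json"   # assumed output path

# Variables hold whole objects: a service object exposes typed properties, not just a name.
$svc = Get-Service -Name 'WinRM'
"Service {0} is {1} (start type: {2})" -f $svc.DisplayName, $svc.Status, $svc.StartType
```

Because `WorkingSet64` is an integer, `-gt 50MB` and the descending sort behave numerically; the equivalent text-based shell pipeline would have to parse and convert the column first.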

Key Cmdlets for Pentesting

  • System Information Gathering:
    • Get-WmiObject: Access WMI (Windows Management Instrumentation) for detailed system information (e.g., OS version, hardware details, installed software). Get-CimInstance is the supported replacement in Windows PowerShell 3.0 and later and the only option in PowerShell 7, which no longer ships Get-WmiObject.
    • Get-ComputerInfo: Provides a summary of computer information.
    • Get-Process: Lists running processes.
    • Get-Service: Lists services.
    • Get-LocalUser: Lists local users.
    • Get-NetIPAddress, Get-NetAdapter: Network information.
  • File System Interaction:
    • Get-ChildItem: Lists files and directories (equivalent to dir or ls).
    • New-Item: Creates files and directories.
    • Remove-Item: Deletes files and directories.
    • Get-Content: Reads file content.
    • Set-Content: Writes content to a file.
  • Networking:
    • Test-NetConnection: Checks network connectivity and port status (equivalent to ping or telnet).
    • Invoke-WebRequest: Sends HTTP requests (useful for web application testing).
  • Security:
    • Get-EventLog: Retrieves event logs (useful for post-exploitation and log analysis).
    • Get-Acl: Retrieves Access Control Lists (ACLs) for files, directories, and other objects.
  • Execution:
    • Invoke-Expression: Executes a string as a PowerShell command (use with caution due to security risks).
    • Start-Process: Starts a new process.
  • PowerShell Remoting:
    • Enabling Remoting: Enable-PSRemoting.
    • Connecting to Remote Systems: Enter-PSSession -ComputerName "hostname/IP".
    • Executing Commands Remotely: Invoke-Command -ComputerName "hostname/IP" -ScriptBlock { "Commands" }.
    • CredSSP: Delegate credentials for multi-hop scenarios.
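As an added example (not from the original notes) covering both the inventory cmdlets and the remoting section, the script below packages a read-only host baseline in a script block, runs it locally, and then pushes the same block to a list of hosts with Invoke-Command. It uses Get-CimInstance in place of Get-WmiObject. The host names, the credential prompt and the output path are assumptions; the hosts must already have remoting enabled and the account must be authorised for the assessment.

```powershell
# Added example: read-only host baseline, runnable locally or over WinRM.
$baseline = {
    $os = Get-CimInstance Win32_OperatingSystem   # CIM replacement for Get-WmiObject
    $cs = Get-CimInstance Win32_ComputerSystem

    # Enabled local accounts and the members of the local Administrators group.
    $localUsers = Get-LocalUser | Where-Object Enabled | Select-Object -ExpandProperty Name
    $admins     = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name

    # Service binaries outside the Windows directory whose ACL grants write access to
    # broad groups: a misconfiguration worth reporting, checked with Get-Acl.
    $weakServices = Get-CimInstance Win32_Service | ForEach-Object {
        # Strip quotes and arguments from the service command line to get the binary path.
        $path = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        if ($path -and (Test-Path $path) -and $path -notlike "$env:windir*") {
            $acl = Get-Acl -Path $path
            $writable = $acl.Access | Where-Object {
                $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
                $_.FileSystemRights  -match 'Write|Modify|FullControl' -and
                $_.AccessControlType -eq 'Allow'
            }
            if ($writable) { [pscustomobject]@{ Service = $_.Name; Path = $path } }
        }
    }

    # Listening TCP ports with the owning process name.
    $listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{
            Port    = $_.LocalPort
            Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name
        }
    } | Sort-Object Port -Unique

    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        OS           = "$($os.Caption) $($os.Version) build $($os.BuildNumber)"
        Domain       = $cs.Domain
        LastBoot     = $os.LastBootUpTime
        LocalUsers   = $localUsers
        LocalAdmins  = $admins
        WeakServices = $weakServices
        Listeners    = $listeners
    }
}

# Run the baseline on this machine.
$local = & $baseline

# Run it on a list of hosts over WinRM (assumed host names; Enable-PSRemoting must be on).
$targets = @('ws01.corp.example', 'srv02.corp.example')   # assumed host names
$cred    = Get-Credential -Message 'Account authorised for the assessment'
$remote  = Invoke-Command -ComputerName $targets -Credential $cred -ScriptBlock $baseline `
               -ThrottleLimit 8 -ErrorAction SilentlyContinue -ErrorVariable remoteErrors

# Hosts that could not be reached are reported rather than silently dropped.
$remoteErrors | ForEach-Object { Write-Warning "Unreachable: $($_.TargetObject) - $($_.Exception.Message)" }

# One JSON document per run; remote objects carry PSComputerName to identify their source.
@($local) + @($remote | Where-Object { $_ }) |
    Select-Object * -ExcludeProperty RunspaceId |
    ConvertTo-Json -Depth 4 |
    Set-Content -Path "$env:TEMP\baseline-$(Get-Date -Format yyyyMMdd-HHmm).json"   # assumed output path
```

Keeping the collection logic in a single script block means the local and remote runs cannot drift apart, and -ErrorVariable captures connection failures as data instead of terminating the whole sweep.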

Exploitation Techniques

  • Bypassing Execution Policies:
    • Set-ExecutionPolicy Bypass -Scope Process: Bypasses execution policy for the current process.
    • Encoding/Obfuscation: Techniques to evade detection by security software.
  • Credential Dumping:
    • Mimikatz: A powerful tool for extracting credentials from memory (often used with PowerShell).
    • PowerShell scripts for extracting credentials from LSASS.
  • Lateral Movement:
    • Using PowerShell Remoting and credential theft to move between systems within a network.
    • Web Shells: Deploying web shells using PowerShell for persistent access.

Defense Evasion

  • Obfuscation: Encoding, string manipulation, and other techniques to make PowerShell scripts harder to analyze.
  • AMSI (Antimalware Scan Interface) Bypass: Techniques to avoid detection by AMSI.
  • Logging and Monitoring Evasion: Techniques to minimize logging and avoid detection by security monitoring tools.

Resources and Tools

  • PowerSploit: A collection of PowerShell modules for penetration testing.
  • Nishang: Another collection of PowerShell scripts and modules for offensive security.
  • Invoke-Obfuscation: A PowerShell obfuscation framework.
  • Empire: A post-exploitation framework that uses PowerShell agents.
  • PSAttack: PowerShell Attack Framework.

Best Practices

  • Code Review: Always review PowerShell scripts before executing them.
  • Principle of Least Privilege: Use the minimum necessary privileges when executing PowerShell commands.
  • Logging and Monitoring: Implement proper logging and monitoring to detect malicious PowerShell activity.
  • Constrained Language Mode: Restricts PowerShell to a subset of its functionality, limiting the impact of malicious scripts.
  • Application Control: Whitelisting allowed PowerShell scripts and modules.
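To make the logging and Constrained Language Mode points actionable, here is an added example (not from the original notes) in two parts: a posture check that reports the host's language mode, execution policy and PowerShell logging policy, and a hunt over Script Block Logging events (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) for strings that are rare in administrative scripts but common in loaders. The registry paths are the real Group Policy keys; the indicator list, the 24-hour window and the 200-character snippet length are assumptions to tune for your environment.

```powershell
# Added example: PowerShell hardening posture plus a 4104 script-block hunt.

function Get-PowerShellPosture {
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $mod = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        PSVersion          = $PSVersionTable.PSVersion.ToString()
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode   # FullLanguage vs ConstrainedLanguage
        ExecutionPolicy    = (Get-ExecutionPolicy -List | Where-Object Scope -eq 'LocalMachine').ExecutionPolicy
        ScriptBlockLogging = (Get-ItemProperty -Path $sbl -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging      = (Get-ItemProperty -Path $mod -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        AmsiProviders      = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue).Count
    }
}

function Find-SuspiciousScriptBlocks {
    param(
        [int]$Hours = 24,
        # Assumed indicator list: common in downloaders and in-memory loaders, rare in admin scripts.
        [string[]]$Indicators = @(
            'FromBase64String', '-EncodedCommand', 'Invoke-Expression', 'IEX',
            'DownloadString', 'DownloadFile', 'Net.WebClient', 'Reflection.Assembly',
            'VirtualAlloc', 'AmsiUtils', '-WindowStyle Hidden'
        )
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 property layout: [0]=MessageNumber [1]=MessageTotal [2]=ScriptBlockText [3]=ScriptBlockId [4]=Path
        $text = [string]$_.Properties[2].Value
        $hits = $Indicators | Where-Object { $text -like "*$_*" }
        if ($hits) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $_.UserId
                ScriptPath = $_.Properties[4].Value      # empty for interactive or in-memory blocks
                Indicators = ($hits -join ', ')
                Snippet    = $flat.Substring(0, [math]::Min(200, $flat.Length))
            }
        }
    } | Sort-Object Time -Descending
}

Get-PowerShellPosture | Format-List
Find-SuspiciousScriptBlocks -Hours 48 | Format-Table -AutoSize
```

A blank ScriptPath alongside encoded or reflective indicators is the combination to triage first: it means the block never touched disk. Note that 4104 events only exist where Script Block Logging is on, so the posture check should be read before trusting an empty hunt result.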

Example Snippets

  • Get System Info:
    Get-WmiObject Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber
  • Check Port:
    Test-NetConnection -ComputerName <IP/Hostname> -Port <Port>
  • Download File:
    Invoke-WebRequest -Uri <URL> -OutFile <LocalPath>

Conclusion

PowerShell is a powerful tool for penetration testing. Understanding its capabilities and limitations is essential for both offensive and defensive security. These notes provide a starting point for learning PowerShell automation for pentesting. Continuous learning and practice are key to mastering this valuable skill.

These notes are intended as a structured starting point. Remember to practice these techniques in a safe and legal environment.

Pivoting for Red Teamers SQL Database & SQL Injection Pentesting Cheat Sheet SQL databases store crucial application data, and misconfigurations can make them vulnerable to SQL Injection (SQLi) attacks. This guide covers database enumeration, privilege escalation, and SQL injection techniques. Step 1: Identifying SQL Database Type Check the database type by sending payloads in the input fields or URL: ' OR 1=1 -- (MySQL, PostgreSQL, MSSQL) ' UNION SELECT 1,2,3 -- (Check column count) ' AND 1=CONVERT(int,@@version) -- (MSSQL Test) Observe the error messages for database identification. Step 2: Enumerating Database Tables & Columns Use SQL queries to extract database structure. For MySQL: SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE(); SELECT column_name FROM information_schema.columns WHERE table_name='user...